8311877: [macos] Add CLI options to provide signing identity directly to codesign and productbuild

Reviewed-by: asemenyuk

Author: Alexander Matveev

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppBundler.java

@@ -85,6 +85,13 @@ public MacAppBundler() {
                 },
             (s, p) -> s);
 
+    public static final BundlerParamInfo<String> APP_IMAGE_SIGN_IDENTITY =
+            new StandardBundlerParam<>(
+            Arguments.CLIOptions.MAC_APP_IMAGE_SIGN_IDENTITY.getId(),
+            String.class,
+            params -> "",
+            null);
+
     public static final BundlerParamInfo<String> BUNDLE_ID_SIGNING_PREFIX =
             new StandardBundlerParam<>(
             Arguments.CLIOptions.MAC_BUNDLE_SIGNING_PREFIX.getId(),
@@ -127,14 +134,21 @@ private static void doValidate(Map<String, ? super Object> params)
         // reject explicitly set sign to true and no valid signature key
         if (Optional.ofNullable(
                     SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.FALSE)) {
-            String signingIdentity =
-                    DEVELOPER_ID_APP_SIGNING_KEY.fetchFrom(params);
-            if (signingIdentity == null) {
-                throw new ConfigException(
-                        I18N.getString("error.explicit-sign-no-cert"),
-                        I18N.getString("error.explicit-sign-no-cert.advice"));
+            // Validate DEVELOPER_ID_APP_SIGNING_KEY only if user provided
+            // SIGNING_KEY_USER.
+            if (!SIGNING_KEY_USER.getIsDefaultValue(params)) { // --mac-signing-key-user-name
+                String signingIdentity =
+                        DEVELOPER_ID_APP_SIGNING_KEY.fetchFrom(params);
+                if (signingIdentity == null) {
+                    throw new ConfigException(
+                            I18N.getString("error.explicit-sign-no-cert"),
+                            I18N.getString("error.explicit-sign-no-cert.advice"));
+                }
             }
 
+            // No need to validate --mac-app-image-sign-identity, since it is
+            // pass through option.
+
             // Signing will not work without Xcode with command line developer tools
             try {
                 ProcessBuilder pb = new ProcessBuilder("/usr/bin/xcrun", "--help");

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java

@@ -25,8 +25,10 @@
 
 package jdk.jpackage.internal;
 
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.PrintStream;
 import java.io.Writer;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -53,7 +55,10 @@
 import jdk.internal.util.OSVersion;
 import static jdk.jpackage.internal.MacAppBundler.BUNDLE_ID_SIGNING_PREFIX;
 import static jdk.jpackage.internal.MacAppBundler.DEVELOPER_ID_APP_SIGNING_KEY;
+import static jdk.jpackage.internal.MacAppBundler.APP_IMAGE_SIGN_IDENTITY;
 import static jdk.jpackage.internal.MacBaseInstallerBundler.SIGNING_KEYCHAIN;
+import static jdk.jpackage.internal.MacBaseInstallerBundler.SIGNING_KEY_USER;
+import static jdk.jpackage.internal.MacBaseInstallerBundler.INSTALLER_SIGN_IDENTITY;
 import static jdk.jpackage.internal.OverridableResource.createResource;
 import static jdk.jpackage.internal.StandardBundlerParam.APP_NAME;
 import static jdk.jpackage.internal.StandardBundlerParam.CONFIG_ROOT;
@@ -395,12 +400,25 @@ private void doSigning(Map<String, ? super Object> params)
             } catch (InterruptedException e) {
                 Log.error(e.getMessage());
             }
-            String signingIdentity =
-                    DEVELOPER_ID_APP_SIGNING_KEY.fetchFrom(params);
+            String signingIdentity = null;
+            // Try --mac-app-image-sign-identity first if set
+            if (!APP_IMAGE_SIGN_IDENTITY.getIsDefaultValue(params)) {
+                signingIdentity = APP_IMAGE_SIGN_IDENTITY.fetchFrom(params);
+            } else {
+                // Check if INSTALLER_SIGN_IDENTITY is set and if it is set
+                // then do not sign app image, otherwise use --mac-signing-key-user-name
+                if (INSTALLER_SIGN_IDENTITY.getIsDefaultValue(params)) {
+                    // --mac-sign and/or --mac-signing-key-user-name case
+                    signingIdentity = DEVELOPER_ID_APP_SIGNING_KEY.fetchFrom(params);
+                }
+            }
             if (signingIdentity != null) {
                 signAppBundle(params, root, signingIdentity,
                         BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params),
                         ENTITLEMENTS.fetchFrom(params));
+            } else {
+                // Case when user requested to sign installer only
+                signAppBundle(params, root, "-", null, null);
             }
             restoreKeychainList(params);
         } else if (OperatingSystem.isMacOS()) {
@@ -715,6 +733,25 @@ private static List<String> getCodesignArgs(
         return args;
     }
 
+    private static void runCodesign(ProcessBuilder pb, boolean quiet)
+                                                            throws IOException {
+        try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
+             PrintStream ps = new PrintStream(baos)) {
+            try {
+            IOUtils.exec(pb, false, ps, false,
+                         Executor.INFINITE_TIMEOUT, quiet);
+            } catch (IOException ioe) {
+                // Log output of "codesign" in case of
+                // error. It should help user to diagnose
+                // issue when using --mac-app-image-sign-identity
+                Log.info(MessageFormat.format(I18N.getString(
+                         "error.tool.failed.with.output"), "codesign"));
+                Log.info(baos.toString().strip());
+                throw ioe;
+            }
+        }
+    }
+
     static void signAppBundle(
             Map<String, ? super Object> params, Path appLocation,
             String signingIdentity, String identifierPrefix, Path entitlements)
@@ -781,8 +818,7 @@ static void signAppBundle(
                             p.toFile().setWritable(true, true);
                             ProcessBuilder pb = new ProcessBuilder(args);
                             // run quietly
-                            IOUtils.exec(pb, false, null, false,
-                                    Executor.INFINITE_TIMEOUT, true);
+                            runCodesign(pb, true);
                             Files.setPosixFilePermissions(p, oldPermissions);
                         } catch (IOException ioe) {
                             toThrow.set(ioe);
@@ -810,8 +846,7 @@ static void signAppBundle(
                 List<String> args = getCodesignArgs(true, path, signingIdentity,
                             identifierPrefix, entitlements, keyChain);
                 ProcessBuilder pb = new ProcessBuilder(args);
-
-                IOUtils.exec(pb);
+                runCodesign(pb, false);
             } catch (IOException e) {
                 toThrow.set(e);
             }
@@ -842,8 +877,7 @@ static void signAppBundle(
         List<String> args = getCodesignArgs(true, appLocation, signingIdentity,
                 identifierPrefix, entitlements, keyChain);
         ProcessBuilder pb = new ProcessBuilder(args);
-
-        IOUtils.exec(pb);
+        runCodesign(pb, false);
     }
 
     private static String extractBundleIdentifier(Map<String, Object> params) {

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacBaseInstallerBundler.java

@@ -79,6 +79,13 @@ public abstract class MacBaseInstallerBundler extends AbstractBundler {
             params -> "",
             null);
 
+    public static final BundlerParamInfo<String> INSTALLER_SIGN_IDENTITY =
+            new StandardBundlerParam<>(
+            Arguments.CLIOptions.MAC_INSTALLER_SIGN_IDENTITY.getId(),
+            String.class,
+            params -> "",
+            null);
+
     public static final BundlerParamInfo<String> MAC_INSTALLER_NAME =
             new StandardBundlerParam<> (
             "mac.installerName",

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacPkgBundler.java

@@ -28,7 +28,9 @@
 import jdk.internal.util.Architecture;
 import jdk.internal.util.OSVersion;
 
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.PrintStream;
 import java.io.PrintWriter;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -54,6 +56,8 @@
 import static jdk.jpackage.internal.StandardBundlerParam.SIGN_BUNDLE;
 import static jdk.jpackage.internal.MacBaseInstallerBundler.SIGNING_KEYCHAIN;
 import static jdk.jpackage.internal.MacBaseInstallerBundler.SIGNING_KEY_USER;
+import static jdk.jpackage.internal.MacBaseInstallerBundler.INSTALLER_SIGN_IDENTITY;
+import static jdk.jpackage.internal.MacAppBundler.APP_IMAGE_SIGN_IDENTITY;
 import static jdk.jpackage.internal.StandardBundlerParam.APP_STORE;
 import static jdk.jpackage.internal.MacAppImageBuilder.MAC_CF_BUNDLE_IDENTIFIER;
 import static jdk.jpackage.internal.OverridableResource.createResource;
@@ -605,8 +609,19 @@ private Path createPKG(Map<String, ? super Object> params,
                     Log.verbose(I18N.getString("message.signing.pkg"));
                 }
 
-                String signingIdentity =
-                        DEVELOPER_ID_INSTALLER_SIGNING_KEY.fetchFrom(params);
+                String signingIdentity = null;
+                // --mac-installer-sign-identity
+                if (!INSTALLER_SIGN_IDENTITY.getIsDefaultValue(params)) {
+                    signingIdentity = INSTALLER_SIGN_IDENTITY.fetchFrom(params);
+                } else {
+                    // Use --mac-signing-key-user-name if user did not request
+                    // to sign just app image using --mac-app-image-sign-identity
+                    if (APP_IMAGE_SIGN_IDENTITY.getIsDefaultValue(params)) {
+                        // --mac-signing-key-user-name
+                        signingIdentity = DEVELOPER_ID_INSTALLER_SIGNING_KEY.fetchFrom(params);
+                    }
+                }
+
                 if (signingIdentity != null) {
                     commandLine.add("--sign");
                     commandLine.add(signingIdentity);
@@ -638,7 +653,21 @@ private Path createPKG(Map<String, ? super Object> params,
             commandLine.add(finalPKG.toAbsolutePath().toString());
 
             pb = new ProcessBuilder(commandLine);
-            IOUtils.exec(pb, false, null, true, Executor.INFINITE_TIMEOUT);
+
+            try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
+                 PrintStream ps = new PrintStream(baos)) {
+                try {
+                    IOUtils.exec(pb, false, ps, true, Executor.INFINITE_TIMEOUT);
+                } catch (IOException ioe) {
+                    // Log output of "productbuild" in case of
+                    // error. It should help user to diagnose
+                    // issue when using --mac-installer-sign-identity
+                    Log.info(MessageFormat.format(I18N.getString(
+                             "error.tool.failed.with.output"), "productbuild"));
+                    Log.info(baos.toString().strip());
+                    throw ioe;
+                }
+            }
 
             return finalPKG;
         } catch (Exception ignored) {
@@ -702,14 +731,19 @@ public boolean validate(Map<String, ? super Object> params)
             // reject explicitly set sign to true and no valid signature key
             if (Optional.ofNullable(
                     SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.FALSE)) {
-                String signingIdentity =
-                        DEVELOPER_ID_INSTALLER_SIGNING_KEY.fetchFrom(params);
-                if (signingIdentity == null) {
-                    throw new ConfigException(
-                            I18N.getString("error.explicit-sign-no-cert"),
-                            I18N.getString(
-                            "error.explicit-sign-no-cert.advice"));
+                if (!SIGNING_KEY_USER.getIsDefaultValue(params)) {
+                    String signingIdentity =
+                            DEVELOPER_ID_INSTALLER_SIGNING_KEY.fetchFrom(params);
+                    if (signingIdentity == null) {
+                        throw new ConfigException(
+                                I18N.getString("error.explicit-sign-no-cert"),
+                                I18N.getString(
+                                "error.explicit-sign-no-cert.advice"));
+                    }
                 }
+
+                // No need to validate --mac-installer-sign-identity, since it is
+                // pass through option.
             }
 
             // hdiutil is always available so there's no need

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/resources/MacResources.properties

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2017, 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2017, 2023, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -44,6 +44,7 @@ error.no.xcode.signing.advice=Install Xcode with command line developer tools.
 error.cert.not.found=No certificate found matching [{0}] using keychain [{1}]
 error.multiple.certs.found=WARNING: Multiple certificates found matching [{0}] using keychain [{1}], using first one
 error.app-image.mac-sign.required=Error: --mac-sign option is required with predefined application image and with type [app-image]
+error.tool.failed.with.output=Error: "{0}" failed with following output:
 resource.bundle-config-file=Bundle config file
 resource.app-info-plist=Application Info.plist
 resource.runtime-info-plist=Java Runtime Info.plist

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/resources/MacResources_de.properties

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2017, 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2017, 2023, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -44,6 +44,7 @@ error.no.xcode.signing.advice=Installieren Sie Xcode mit Befehlszeilen-Entwickle
 error.cert.not.found=Kein Zertifikat gefunden, das [{0}] mit Schlüsselbund [{1}] entspricht
 error.multiple.certs.found=WARNUNG: Mehrere Zertifikate gefunden, die [{0}] mit Schlüsselbund [{1}] entsprechen. Es wird das erste Zertifikat verwendet
 error.app-image.mac-sign.required=Fehler: Die Option "--mac-sign" ist mit einem vordefinierten Anwendungsimage und Typ [app-image] erforderlich
+error.tool.failed.with.output=Error: "{0}" failed with following output:
 resource.bundle-config-file=Bundle-Konfigurationsdatei
 resource.app-info-plist=Info.plist der Anwendung
 resource.runtime-info-plist=Info.plist von Java Runtime

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/resources/MacResources_ja.properties

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2017, 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2017, 2023, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -44,6 +44,7 @@ error.no.xcode.signing.advice=Xcodeとコマンドライン・デベロッパ・
 error.cert.not.found=キーチェーン[{1}]を使用する[{0}]と一致する証明書が見つかりません
 error.multiple.certs.found=警告: キーチェーン[{1}]を使用する[{0}]と一致する複数の証明書が見つかりました。最初のものを使用します
 error.app-image.mac-sign.required=エラー: --mac-signオプションは、事前定義済アプリケーション・イメージおよびタイプ[app-image]で必要です
+error.tool.failed.with.output=Error: "{0}" failed with following output:
 resource.bundle-config-file=バンドル構成ファイル
 resource.app-info-plist=アプリケーションのInfo.plist
 resource.runtime-info-plist=JavaランタイムのInfo.plist

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/resources/MacResources_zh_CN.properties

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2017, 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2017, 2023, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -44,6 +44,7 @@ error.no.xcode.signing.advice=安装带命令行开发人员工具的 Xcode。
 error.cert.not.found=使用密钥链 [{1}] 找不到与 [{0}] 匹配的证书
 error.multiple.certs.found=警告：使用密钥链 [{1}] 找到多个与 [{0}] 匹配的证书，将使用第一个证书
 error.app-image.mac-sign.required=错误：预定义的应用程序映像和类型 [app image] 需要 --mac-sign 选项
+error.tool.failed.with.output=Error: "{0}" failed with following output:
 resource.bundle-config-file=包配置文件
 resource.app-info-plist=应用程序 Info.plist
 resource.runtime-info-plist=Java 运行时 Info.plist

src/jdk.jpackage/share/classes/jdk/jpackage/internal/Arguments.java

@@ -338,6 +338,12 @@ public enum CLIOptions {
         MAC_SIGNING_KEY_NAME ("mac-signing-key-user-name",
                     OptionCategories.PLATFORM_MAC),
 
+        MAC_APP_IMAGE_SIGN_IDENTITY ("mac-app-image-sign-identity",
+                    OptionCategories.PLATFORM_MAC),
+
+        MAC_INSTALLER_SIGN_IDENTITY ("mac-installer-sign-identity",
+                    OptionCategories.PLATFORM_MAC),
+
         MAC_SIGNING_KEYCHAIN ("mac-signing-keychain",
                     OptionCategories.PLATFORM_MAC),
 
@@ -631,6 +637,24 @@ private void validateArguments() throws PackagerException {
                         CLIOptions.JLINK_OPTIONS.getIdWithPrefix());
             }
         }
+        if (allOptions.contains(CLIOptions.MAC_SIGNING_KEY_NAME) &&
+            allOptions.contains(CLIOptions.MAC_APP_IMAGE_SIGN_IDENTITY)) {
+                throw new PackagerException("ERR_MutuallyExclusiveOptions",
+                        CLIOptions.MAC_SIGNING_KEY_NAME.getIdWithPrefix(),
+                        CLIOptions.MAC_APP_IMAGE_SIGN_IDENTITY.getIdWithPrefix());
+        }
+        if (allOptions.contains(CLIOptions.MAC_SIGNING_KEY_NAME) &&
+            allOptions.contains(CLIOptions.MAC_INSTALLER_SIGN_IDENTITY)) {
+                throw new PackagerException("ERR_MutuallyExclusiveOptions",
+                        CLIOptions.MAC_SIGNING_KEY_NAME.getIdWithPrefix(),
+                        CLIOptions.MAC_INSTALLER_SIGN_IDENTITY.getIdWithPrefix());
+        }
+        if (isMac && (imageOnly || "dmg".equals(type)) &&
+            allOptions.contains(CLIOptions.MAC_INSTALLER_SIGN_IDENTITY)) {
+                throw new PackagerException("ERR_InvalidTypeOption",
+                        CLIOptions.MAC_INSTALLER_SIGN_IDENTITY.getIdWithPrefix(),
+                        type);
+        }
         if (allOptions.contains(CLIOptions.DMG_CONTENT)
                 && !("dmg".equals(type))) {
             throw new PackagerException("ERR_InvalidTypeOption",